exploit the possibilities

Synology DSM 4.3-3776 XSS / File Disclosure / Command Injection

Synology DSM 4.3-3776 XSS / File Disclosure / Command Injection
Posted Sep 10, 2013
Authored by Andrea Fabrizi

Synology DSM versions 4.3-3776 and below suffer from remote file download, content disclosure, cross site scripting, and command injection vulnerabilities.

tags | exploit, remote, vulnerability, xss
MD5 | 6c00be8290adce9b359270546e099bd6

Synology DSM 4.3-3776 XSS / File Disclosure / Command Injection

Change Mirror Download
Title: Synology DSM multiple vulnerabilities
Version affected: <= 4.3-3776
Vendor: Synology
Discovered by: Andrea Fabrizi
Email: andrea.fabrizi@gmail.com
Web: http://www.andreafabrizi.it
Twitter: @andreaf83
Status: unpatched

Synology DiskStation Manager (DSM) it's a Linux based operating
system, used for the DiskStation and RackStation products.

1] ======== Remote file download ========
Any authenticated user, even with the lowest privilege, can download
any system file, included the /etc/shadow, samba password files and
files owned by the other DSM users, without any restriction.

The vulnerability is located in "/webman/wallpaper.cgi". The CGI takes
as parameter the full path of the image to download, encoded in ASCII
Hex format.
The problem is that any file type can be downloaded (not only images)
and the path validation is very poor. In fact the CGI checks only if
the path starts with an allowed directory (like
/usr/syno/synoman/webman), and this kind of protection can be easily
bypassed using the ../ attack.

For example to access the /etc/shadow:

GET /webman/wallpaper.cgi?path=AABBCCDDEEFF11223344 HTTP/1.1
Cookie: stay_login=0; id=XXXXXXXXXXX

2] ======== Command injection ========
A command injection vulnerability, present on the
"/webman/modules/ControlPanel/ modules/externaldevices.cgi" CGI,
allows any administrative user to execute arbitrary commands on the
system, with root privileges.

POST /webman/modules/ControlPanel/modules/externaldevices.cgi HTTP/1.1
User-Agent: ls
Cookie: stay_login=0; id=XXXXXXXXXXX
Content-Length: 128


Putting the command to execute as the User Agent string, after the
request the output will be ready into the /tmp/output file.

3] ======== Partial remote content download ========
For the localization DSM uses some CGI, that takes the lang parameter
(e.g. "enu" for english) and returns a Json object containing the
localized strings in a dictionary format.

The strings are taken from a local file with the following path:

The "/strings" appended at the end of the path prevents a path
injection, because any value injected using the "lang" parameter will
be invalidated (in other words, it's possible to read only files named
"strings"). But, the interesting thing is that the full path of the
strings files is built using a snprintf function like that:

snprintf(&s, 0x80u, "texts/%s/strings", lang)

This means that putting a lang value big enough, it's possible to
overflow the 128 byte allowed by the snprintf and take out the
"/strings" from the built path.

For example, the lang value
///////////////////../../../../../etc/synoinfo.conf" allow to get the
/etc/synoinfo.conf file content.

The second problem is that the input file taken by the CGI must be
formatted in a key/value way: key1=string1

In other words, to get some content from a generic file it's necessary
that the file contains at least an "=" for each line (this is the
reason why I called the vulnerability "Partial remote content

At first glance it may seems very limiting, but, seen that it's
possible to read directly from the disk block device (e.g.
/dev/vg1000/lv), the amount of data dumped is very huge. In my tests I
was able to dump around the 25/30% of the drive (tested with mixed
content, like documents, images, generic files). It's possible to dump
data from any drive connected. Interesting data can be also dumped
from the /proc vfs.

This vulnerability impacts two different CGI and is exploitable
without authentication by any remote user:


GET /scripts/uistrings.cgi?lang=XXXXXXXXX HTTP/1.1

In the system there are two other uistrings.cgi, but are not affected.

4] XSS
A classic Cross-site scripting affects the following CGI:

Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    7 Files
  • 11
    Jul 11th
    4 Files
  • 12
    Jul 12th
    4 Files
  • 13
    Jul 13th
    14 Files
  • 14
    Jul 14th
    17 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By